www.techspot.com
TL;DR: The cybersecurity community just gained unprecedented insight into the operations of one of the world's most active ransomware groups. As researchers delve into the wealth of information this leak provides, it is likely that new revelations about Black Basta's tactics, targets, and internal dynamics will come to light.

In an unprecedented breach, over a year of internal communications from the notorious ransomware syndicate Black Basta have leaked online, exposing the inner workings, strategies, and internal conflicts of one of today's most active and dangerous cybercriminal groups.

The leak consists of over 200,000 messages exchanged by Black Basta members on the Matrix chat platform between September 2023 and September 2024. The source of the leak remains unknown: it was posted by a user called "ExploitWhispers" on MEGA and later on Telegram, but the individual responsible claims the action was taken in retaliation for Black Basta's attacks on Russian banks. It is unclear whether the leaker is an insider or an external actor who managed to gain access to these confidential communications.

Black Basta's reputation as a formidable threat to global cybersecurity is well-established. In 2023, the FBI and the Cybersecurity and Infrastructure Security Agency reported that the group had targeted 12 out of 16 critical infrastructure sectors in the United States, with attacks on 500 organizations worldwide. Their high-profile victims include Ascension, a major U.S. healthcare provider, Hyundai Europe, U.K. outsourcing firm Capita, the Chilean Government Customs Agency, and Southern Water, a U.K. utility company.

The leaked communications reveal significant internal tensions within the group, particularly following the arrest of one of its leaders. This event has heightened fears among members about potential exposure to law enforcement. The current leader, believed to be Oleg Nefedov, has come under fire from his subordinates for decisions that have put the group at greater risk, including targeting a Russian bank.

Researchers analyzing the Russian-language texts have uncovered details about other key members of Black Basta, including two administrators known as Lapa and YY, and a threat actor named Cortes, who has links to the Qakbot ransomware group.

The leaked communications also confirm what many cybersecurity researchers have discovered or theorized about the group. It typically initiates attacks through phishing emails containing malicious links, often using password-protected zip files that, when opened, install the Qakbot banking trojan. This trojan establishes a backdoor and deploys SystemBC to create an encrypted connection to a command and control server.

Once inside a network, Black Basta uses Cobalt Strike for reconnaissance and to deploy additional tools across the compromised network. The group also uses legitimate remote access software to maintain persistence, while disabling antivirus and endpoint detection systems. For data theft and exfiltration, they rely on tools like Mimikatz and Rclone.

The ransomware deployment phase involves encrypting files with the ".basta" extension as part of a double extortion strategy. Interestingly, Black Basta doesn't immediately present ransom demands, instead giving victims a 10-12 day window to make contact before potentially leaking stolen data. The group has also adopted social engineering techniques, including making phone calls to establish initial contact with company personnel, similar to methods used by other cybercriminal groups like Scattered Spider.

Black Basta's target selection process is methodical, maintaining a spreadsheet of potential victims rather than choosing targets randomly. They leverage business intelligence platforms like ZoomInfo to research and select their targets, demonstrating a calculated approach to their operations.

Taking advantage of this treasure trove of information, security firm Hudson Rock fed the chat transcripts into ChatGPT. The result is BlackBastaGPT, a new resource to assist researchers in analyzing Black Basta's operations more effectively.
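The deployment phase described above (files renamed with a ".basta" extension) leaves a simple signal in file-activity telemetry: a burst of renames to that extension on one host. The following detector is an added example written for this article, not code from the article or from any vendor; the log line format, the host names and the threshold are constructed assumptions.

```python
"""Constructed example: flag hosts where many files are renamed to a
".basta" extension inside a short window, the mass-encryption signature
the article attributes to Black Basta's deployment phase. The log format
and threshold below are assumptions for this example, not a real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-event log lines: "<ISO timestamp> <host> RENAME <old> -> <new>"
SAMPLE_EVENTS = """
2024-03-01T09:00:01 ws01 RENAME C:\\Users\\a\\report.docx -> C:\\Users\\a\\report.docx.basta
2024-03-01T09:00:02 ws01 RENAME C:\\Users\\a\\q1.xlsx -> C:\\Users\\a\\q1.xlsx.basta
2024-03-01T09:00:02 ws01 RENAME C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.txt.basta
2024-03-01T09:00:03 ws01 RENAME C:\\Users\\a\\plan.pptx -> C:\\Users\\a\\plan.pptx.basta
2024-03-01T09:00:04 ws01 RENAME C:\\Users\\a\\data.csv -> C:\\Users\\a\\data.csv.basta
2024-03-01T09:05:00 ws02 RENAME C:\\Users\\b\\old.txt -> C:\\Users\\b\\old.txt.bak
2024-03-01T10:30:00 ws03 RENAME C:\\tmp\\x.bin -> C:\\tmp\\x.bin.basta
""".strip().splitlines()


def parse_event(line):
    """Return (timestamp, host, new_path) for a RENAME line, else None."""
    parts = line.split(" ", 3)
    if len(parts) < 4 or parts[2] != "RENAME" or " -> " not in parts[3]:
        return None
    ts = datetime.fromisoformat(parts[0])
    new_path = parts[3].split(" -> ", 1)[1]
    return ts, parts[1], new_path


def find_mass_basta_renames(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {host: peak_count} for hosts with at least `threshold` renames
    to .basta inside any sliding window of length `window`. A single
    rename (a user renaming one file by hand) stays below the bar."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev[2].lower().endswith(".basta"):
            per_host[ev[1]].append(ev[0])
    hits = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[host] = max(hits.get(host, 0), count)
    return hits


if __name__ == "__main__":
    print(find_mass_basta_renames(SAMPLE_EVENTS))  # {'ws01': 5}
```

In practice the same sliding-window logic can be fed from EDR or Sysmon file-create/rename events; tuning the threshold against normal rename volume on the host keeps backup jobs and bulk user renames from triggering.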